Quote Of The Year - Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

Wednesday, July 23, 2008

Data Security – A Pervasive and Difficult Problem.

In the last week or so the Poynter Review reported to the UK Treasury.

The background to the review is covered here.

The Poynter Review

On 20 November 2007, the Chancellor appointed Kieran Poynter, the Chairman and Senior Partner of PricewaterhouseCoopers, to investigate the circumstances that led to the significant loss of confidential personal data on Child Benefit recipients and other recent losses of confidential data and the lessons to be learnt. Kieran Poynter published his final report on 25 June 2008.

Media links

After the review was published an opinion piece appeared in the London Financial Times.

Data security is not just a matter of technology

By Kieran Poynter

Published: July 15 2008 18:57 | Last updated: July 15 2008 18:57

The recent spate of high-profile data security breaches and the regulatory responses to them have once again thrust issues of data management into the limelight. I have spent the past few months looking at the issue and talking to leaders from the private and public sectors about data security issues. What has emerged is that there is a decided lack of ownership when it comes to data security, which cuts across all organisations.

There is a widespread perception that information security is an information technology issue and that produces a tendency to focus on security safeguards such as encrypting data on laptops, preventing use of USB memory sticks, password protection and so on. However, even in these areas experience shows that there is a long way to go.

Technological measures risk creating a false sense of security. Most breaches are the result of quite mundane physical factors and are essentially caused by process failures and/or people simply not knowing what to do.

Organisations can have all the policies and processes they like, but if their culture and values, management systems and scrutiny are not joined up in a clear governance framework, this lack of integration lends itself to data security exposures.

As the volume and depth of personal information that organisations hold on their customers, employees – indeed, on all of us – continue to grow, so do the potential regulatory, legal and reputation risks associated with failing to keep that data secure. While more and more businesses are taking data security seriously, the fact remains that serious breaches are on the rise, as is malicious activity by criminals seeking access to companies’ personal data.

Organisations with weak data security are generally also weak in terms of wider risk management and governance. So a failure adequately to manage information security risks is often symptomatic of broader risk issues or a fragmented governance framework.

More here (subscription required):

http://www.ft.com/cms/s/0/525bc6ec-526d-11dd-9ba7-000077b07658.html?nclick_check=1

Poynter review: HMRC has radically reduced security risks

Richard Thurston | Jun 27, 2008 10:25 AM

HMRC has radically improved its data security measures since the breach which caused it to lose 25 million child benefit records in October last year.

PwC chairman Kieran Poynter, the man tasked to investigate what happened in the catastrophic HMRC data breach, has revealed that significant progress has been made since the disastrous information leakage last October.

Those are the thoughts of Kieran Poynter, chairman of PricewaterhouseCoopers, whose review into the data breach was published yesterday.

The positive statement was published as part of a largely critical report which said there were "serious institutional deficiencies" and "no visible management of data security at any level" of HMRC.

But Poynter did take the opportunity to outline HMRC's achievements since the breach.

Among the more important he picked out were:

- Creating a new post of director of data security;
- Issuing clearer at-a-glance data security guidance, which gives examples of what can be sent by what mechanism, and in what circumstances;
- Mandatory attendance at a half-day information security workshop for all staff;
- A review of post room processes and practice to identify high risk security issues;
- Locking down write access to removable drives, with reversal of that policy only able to be made by a small number of designated personnel;
- A ban on the use of unencrypted laptops outside secure premises;
- The introduction of new controls for bulk data transmissions;
- Progress on developing a mechanism for secure electronic transfer of information with external partners.

"I am pleased to say that HMRC has significantly reduced the risk of further data loss since the incident," said Poynter.

More coverage is available here.

http://www.securecomputing.net.au/News/115363,poynter-review-hmrc-has-radically-reduced-security-risks.aspx

The broader picture is revealed in the following from the BBC.

MoD admits loss of secret files

More than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it has emerged.

The department also admitted that more than 650 laptops had been stolen over the past four years - nearly double the figure previously claimed.

The Liberal Democrats condemned the latest security breaches as evidence of "shocking incompetence".

But the MoD insisted its policies were "generally fit for purpose".

Previously the MoD had confirmed that 347 laptops were stolen between 2004 and 2007.

The MoD said it has no idea when, where or how the memory sticks were lost.

Defence Secretary Des Browne issued revised figures after "anomalies in the reporting process" were discovered.

The official total is now 658 laptops stolen, with another 89 lost. Just 32 have been recovered.

In a separate response, ministers said 121 of the department's USB memory sticks had been taken or misplaced since 2004.

Some 26 of those went this year - including three which contained information classified as "secret" and 19 which were "restricted".

BBC security correspondent Frank Gardner said the incident was "embarrassing" for the MoD as they had no idea how or when they had been lost or stolen.

Liberal Democrat MP Sarah Teather received the information after tabling a question in parliament.

Ms Teather said: "It seems that this government simply cannot be trusted with keeping sensitive information safe.

"This shows a shocking degree of incompetence."

Shadow defence secretary Liam Fox said: "To treat national security in such a cavalier fashion is unforgivable."

A Ministry of Defence spokesman said any loss of data was subject to a full inquiry and measures were being put into place to improve data protection.

Much more with multimedia here:

http://news.bbc.co.uk/1/hi/uk/7514281.stm

When one adds this to all the stories of lost hospital records from the US, it seems that no-one has worked out how to keep sensitive information safe. It seems it even happens in Wales!

NHS trusts lose confidential data

By Brian Meechan
BBC Wales political reporter

More than 150 incidents of data being lost at NHS trusts across Wales have put patient and staff details at risk.

Among the examples over a three year period, patient details from an entire children's ward in Wrexham were found on a piece of paper in a puddle.

In another revealed by BBC Wales after Freedom of Information (FOI) requests, a highly confidential child protection file was sent to the wrong address.

Health Minister Edwina Hart said she was "quite horrified" by the findings.

She said staff losing such data should be disciplined.

The cases were revealed in responses to FOI requests made by BBC Wales to the trusts, which provide services through hospitals, health centres and clinics.

http://news.bbc.co.uk/2/hi/uk_news/wales/wales_politics/7509151.stm

As is almost always the case, we find it is the people and the systems that have let us down and allowed the leaks of information to occur.

The story of what happened with the UK Customs Service makes a great and very educational read: it describes the systemic failures well, and how they should be addressed once identified.

The reports are well worth a read – especially if you are a manager responsible for handling any sensitive information!

David.

1 comment:

Teki said...

The ALRC Inquiry into Privacy will be very good reading. There was a report in the AFR by Michael Crawford on Tuesday, where David Weisbrot reflects on the Privacy Act of 1988 "There were a few clunkers but in 25 years it's hard to predict the pervasiveness of taking a photograph with a mobile telephone and putting the picture on the internet for the whole world to see."
I think the ALRC will have some very interesting things to say about health information.